'Comment Crew' Back in Action Against US Cybertargets, Says Mandiant

A brief reprieve in U.S. cyberattacks appears to be over. The same group of U.S.-focused Chinese hackers that a security company tied to that country's military is apparently back to its old tricks. Combined with reports that Iranian hackers have moved on from banks to oil and gas infrastructure, the result is renewed concern about the integrity of domestic computer systems.

China and Iran were accused last week of renewing their cyberattacks on U.S. computer systems after a brief hiatus.

A gang of Chinese hackers allegedly affiliated with the country's People's Liberation Army has resumed infiltrating U.S. computer systems after making a strategic withdrawal earlier this year, according to cybersecurity firm Mandiant.

Mandiant blew the whistle on the Chinese bandits known as Unit 61398, or the "Comment Crew," in a special report released in February. The company, which has been hired by The New York Times and others to fight hacker intrusions, said the cyberposse was operating at 60 to 70 percent of prior activity levels. It did not disclose any of the group's targets.

The renewed attacks are just more evidence of nation-states institutionalizing cyberespionage, said Torsten George, vice president for marketing for Agiliance.

"Incoming threats are not volleys," he told TechNewsWorld. "They are akin to silent AK-47 automatic rifle fire, continuous and destructive."

Aurora Reprise

China found itself in more hot water last week.

The Washington Post, based on information from current and former government officials, reported that a database of federal law enforcement surveillance targets was among the targets of the Chinese hackers who mounted a cyberassault on Google and more than 20 other companies in 2010.

The intent of the attackers, who were part of what's become known as "Operation Aurora," was to find out if any of China's intelligence operatives were being watched by the U.S. Department of Justice and FBI.

Google is remaining mum on the subject. At the time of the break-in, it said that the hackers were after information on Chinese activists, but didn't mention anything about the surveillance database.

Cruising for Bruising

Iran, too, appears to be renewing its cyberattacks on the U.S. This time, instead of banks, energy companies are its targets.

The energy intrusions are more alarming than the bank attacks, unnamed U.S. officials told The Wall Street Journal last week. That's because the hackers apparently were able to gain access to control systems that enable them to manipulate oil and gas pipelines.

Iran is edging closer to provoking U.S. retaliation, the officials told the Journal.

Industrial control systems are ripe targets for hackers, said Tom Cross, director of security for Lancope.

"It is difficult to fix security flaws with these systems because they aren't designed to be patched and restarted frequently," he told TechNewsWorld.

Markey Report

The Journal's story appeared just days after a report on infrastructure vulnerabilities was released by two U.S. Reps. Edward J. Markey (D-Mass.) and Henry A. Waxman (D-Calif.). In that report, the legislators said that over the last few years the threat of a crippling cyberattack against the U.S. electric grid has increased significantly.

Both Congress and President Obama have begun to move in the right direction in recent times, noted Chris Petersen, founder and CTO of LogRhythm.

"However, we may be running short on time," he told TechNewsWorld.

"The primary concern is that threats with a willingness to launch destructive attacks will develop these capabilities prior to U.S. critical infrastructure companies being able to defend themselves," Petersen said.

The report in the Journal, he added, "is positive evidence that some of these threats are ahead of our defenses."

BYOH?

To some organizations, BYOD might as well stand for "Bring Your Own Headache." That's because blending BYOD and security can be like mixing oil and water.

One solution offered by the security industry has been mobile device management. It allows all of an organization's devices to be managed through policies that a central administrator can implement.

MDM, though, can fall short on protecting users and their devices from the numerous cyberthreats lurking around every node on the Internet.

Last week, Marble Security rolled out what it likes to call "the next generation in mobile security." It reaches beyond MDM solutions to provide security on whatever network a user is on and whatever device they're using.

The cornerstone of Marble's mobile security service is its Mobile Perimeter Defense technology. According to Marble, it learns and adapts by continuously assessing massive amounts of machine data -- phishing sites, bad apps and such.

With that data, it can dynamically assign risk scores to each device. Those scores can be used by administrators, or users themselves, to identify threats in real time and instantly mitigate them.

"Instead of using static policies like MDM, this is a behavioral learning thing in the cloud that takes the suite to the next level of mobile security management," Marble Security Chairman and CTO Dave Jevans told TechNewsWorld.

Data Breach Diary

May 20. The Washington Post reports that a database containing surveillance information of federal law enforcement agencies was a target of the Aurora hackers who attacked Google's systems in 2010.

May 20. The California state Senate approves and sends to the Assembly a bill requiring individuals and companies that maintain computerized data about their clients or customers to notify them if a security breach is detected.

May 21. U.S. Department of Health and Human Services fines Idaho State University US$400,000 because its Pocatello Family Medicine Clinic exposed health information for 17,500 patients by disabling a firewall for at least 10 months.

May 22. U.S. Department of Homeland Security discloses that personal information for tens of thousands of current and former employees at the agency is at risk after the discovery of a vulnerability in a vendor's system used for processing background investigations. Sensitive personal information on the employees, including names, Social Security numbers and dates of birth, stored with the vendor has potentially been accessible to an unauthorized user since July 2009, the agency said. However, there is no evidence that any data was lost or stolen.

May 23. Twitter announces it is offering two-factor authentication to its users.